| 1 |
On Mon, Jun 4, 2012 at 12:19 PM, Dirkjan Ochtman <djc@g.o> wrote: |
| 2 |
> So to prevent your scenario, we'd |
| 3 |
> have to get everyone to check the signature of the tip of tree they |
| 4 |
> pulled before committing/merging. |
| 5 |
|
| 6 |
How can we be sure this has happened? |
| 7 |
|
| 8 |
This is the problem with signed manifests today. I can sign a |
| 9 |
manifest, but I didn't actually check all the files inside it, and the |
| 10 |
file might or might not have been signed before I modified it, and |
| 11 |
most likely I didn't even check the signature even if it was there. |
| 12 |
|
| 13 |
Anything we do has to be automated to be of any real value. Ideally |
| 14 |
if something goes wrong it should be as detectable as possible. |
| 15 |
|
| 16 |
Warts and all the current system hasn't broken down yet. However, if |
| 17 |
we ever did find out about an intrusion in our cvs repository, we'd |
| 18 |
essentially have to do a 100% code review to be sure it was OK, and |
| 19 |
that includes checking all tarballs on mirrors. |
| 20 |
|
| 21 |
With signed commits we could verify that the tree was intact, and if |
| 22 |
anything bad was found we could pinpoint exactly whose key was |
| 23 |
compromised and do a focused check on their commits. |
| 24 |
|
| 25 |
Rich |
Archives